TechRepublic member dcolbert asks the TR community, "What good is inherently better security through open source and 'many eyes' if manufacturers can effectively short-circuit the benefits in consumer applications?"
The Android platform has recently been subjected to increasing backlash among tech writers. There's a growing concern that carriers and manufacturers are hijacking the Android platform and perverting Google's intention of providing a consumer-oriented, friendly, and secure open-source mobile platform for phones and other personal electronic devices.
For 20 years, Linux advocates with a chip on their shoulder against Microsoft have talked about how open source empowers end users, administrators, and developers and frees them from the control of monopolistic, unresponsive corporations more concerned with profits than the security, safety, or stability of the platforms they sell to their customers.
For 20 years, they've talked about the freedom of installing OS platforms without the bundled, performance-sapping crapware that manufacturers pre-install on their hardware in lockstep with the Evil Empire of Redmond.
Yet the largest commercial consumer success of an open-source, Linux-based platform is Android - or at least it seems to be headed in that direction - and the only difference this time around is that you'll be able to pick from any number of large corporations who will roll you like a bum. Sometimes it might not even be clear which corporation is taking advantage of you. Is it HTC? Google? Verizon? T-Mobile? AT&T? Probably.
How can this be? Isn't open source supposed to route around this kind of behavior the way TCP/IP routes around damage from a nuclear strike? How is it that Motorola or Verizon can lock end users into their vision of an Android handset, with limited features, custom markets, no way to side-load apps, and locked bootloaders with a hardware fuse that will refuse to boot - or brick the phone outright - if you try to root it or flash a custom ROM?
Android should be open source's moment of self-realization and fulfillment. It's their chance to run to the windows (no pun intended), throw them open, and yell to the world, "WE TOLD YOU SO."
However, and I admit I take a small amount of satisfaction in this, it looks more likely that it'll be the chance for the Windows users of the world to look at the Linux community and say, "Meet the new boss, same as the old boss."
In my recent post about Linux - which came to a dubious conclusion, other than establishing that the vast majority of people involved in OS platform debates are on one side or the other for any reason but logic - much of the forum discussion focused on whether or not the open source "many eyes" security model is superior to the closed source "security through obscurity" model.
Well, if the biggest commercial success of open source is co-opted by corporations, manufacturers, and carriers - and through control of hardware, networks, and ToS agreements they prevent users from fully realizing the benefits of open source - then it looks like, in practical application at the consumer level, "many eyes" may effectively be no different from closed source.
I can hear the uproar to this statement now, so let me elaborate. Open-source advocates will say, "The technically adept will be able to get around this." But in a consumer market, that doesn't matter. While 20 million iPhone users may have the ability to jailbreak their phones, a very small number of them actually ever do. It may be a geek ideal, but it isn't a practical reality for a popular electronic device aimed at average consumers.
Likewise, if Android has 88 serious flaws, you're at the mercy of Google, your handset manufacturer, and your carrier as to whether you'll ever see the fixes. The "open source, many eyes" model may already have identified the problems and produced solutions - but it simply isn't feasible for the vast majority of Android users to find those fixes on the web, via torrents or otherwise, and apply them to their devices themselves.
So, what good are open source and the many eyes security model in this situation, the largest commercial success open source and Linux have ever enjoyed? The kind of Linux/open source arrogance that says, "Lusers who are too dumb to manage their own phones and devices deserve what they get," misses the point.
If those Lusers are the mass consumer market, and the choices are either to raise your technical skill or to be beholden to your device manufacturer and carrier, then open source ultimately fails to deliver on all of the "superiority" it has always claimed is inherent in its philosophy of openly shared code.
The user experience will be barely distinguishable from what users have always known. They'll have to wait for the large corporations to provide solutions - and we already know that manufacturers and carriers are slow to release fixes, and that many first-generation Android phones never received OS updates even though the updates were available.
Ultimately, the net result (which is what counts) is virtually indistinguishable from the detested Microsoft closed-source model. The only difference I can see is that the flaw is public knowledge, but you still have to wait on a "monolithic" manufacturer to release the fix at their leisure, for all practical intents and purposes.
We'll hear all kinds of cop-outs, excuses, finger pointing, and blame. "You're attacking open source and the many-eyes model when the Android platform you predict is nothing like the ideal." And that is the problem. The "ideal" doesn't work on a large scale, in particular with multi-billion dollar revenue-generating consumer electronic platforms. It is a flawed, broken concept - an ideology that only works in special niches with highly skilled technical users... actually, administrators.
But no one wants to be the administrator of their smartphone, tablet, or TV set. No one wants to go to SourceForge, verify a checksum, download source code, and then compile and install it on their personal electronic device - no one, that is, but hardcore Linux advocates.
However, if they're not doing that, and they're not getting it from a vendor, then they're putting their trust in the "many eyes" who have made a "bootleg, unauthorized" patch or upgrade. For the average Android user, that's like downloading a Microsoft Service Pack from an unverified torrent. They're going to remain prone to all the same risks and dangers they faced on closed-source platforms.
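As an added illustration (not part of the original post, and not code from any vendor or project it names), the following POSIX shell script shows why an unofficial patch is only as trustworthy as the channel its checksum came from: a digest the vendor publishes out of band catches a tampered download, while a digest bundled with the download itself "verifies" the tampered file just fine. Every file name, payload and digest below is constructed inside a temporary directory; nothing is downloaded.

```shell
#!/bin/sh
# Added example, not from the original article: SHA-256 verification of an
# update file, and why the digest's provenance matters more than the math.
# All files below are constructed in a temp directory; nothing is fetched.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# sha256_of FILE -> hex digest (coreutils sha256sum, or shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_update FILE EXPECTED_DIGEST -> status 0 on match, 1 on mismatch
verify_update() {
    actual="$(sha256_of "$1")"
    [ "$actual" = "$2" ]
}

# Constructed "genuine" update, with the digest the vendor would publish over
# a separate, trusted channel (its own HTTPS page or a signed manifest).
printf 'genuine update payload v1.0\n' > "$WORK/update.zip"
VENDOR_DIGEST="$(sha256_of "$WORK/update.zip")"

# Constructed tampered copy as it might arrive via a torrent, shipped together
# with a .sha256 file computed by whoever tampered with it.
printf 'tampered update payload v1.0\n' > "$WORK/update-torrent.zip"
TORRENT_DIGEST="$(sha256_of "$WORK/update-torrent.zip")"

# report FILE DIGEST LABEL -> prints "OK LABEL" or "MISMATCH LABEL" without
# aborting the script under set -e
report() {
    if verify_update "$1" "$2"; then
        echo "OK $3"
    else
        echo "MISMATCH $3"
    fi
}

report "$WORK/update.zip"         "$VENDOR_DIGEST"  "genuine file vs vendor digest"
report "$WORK/update-torrent.zip" "$VENDOR_DIGEST"  "torrent file vs vendor digest"
# The bundled digest passes: it was computed over the tampered file, so a
# checksum obtained from the same untrusted source says nothing about origin.
report "$WORK/update-torrent.zip" "$TORRENT_DIGEST" "torrent file vs bundled digest"
```

The checksum only detects corruption or tampering relative to a reference you already trust; what turns it into a provenance check is a signature over that digest (GPG, minisign, or the platform's own package signing) made with a key you obtained from the vendor beforehand, which is exactly the step an "unauthorized" patch from the many eyes cannot supply.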
"This is not the failure of the open source, many eyes model - it's a failure of the users." But this is what the users ARE. It's who they are, and they are legion; they are the mob; they are mass consumer acceptance. If "open-source, many eyes" cannot accommodate them, then it's a failure. You can't ask users to accommodate it and then blame them when they can't.
One way or another, with the direction Android is heading - even though the platform is open source and protected by many eyes - the benefit becomes moot in practical application. Either it's too difficult for the target audience to leverage the benefits, or the delivery of those benefits in a consumer-friendly package is controlled by corporations whose business practices are virtually identical to those of closed-source vendors.
This is a disaster for the ideals of open source, many eyes superiority. What good is inherently better security through open source and many eyes if manufacturers can effectively short-circuit the benefits in consumer applications?